One of the most important operators in the PRISM property specification language is the

operator, which is used to reason about the probability of an event's occurrence. This operator was originally proposed in the logic PCTL but also features in the other logics supported by PRISM, such as CSL. The **P**

operator is applicable to all types of models supported by PRISM.
**P**

Informally, the property:

P bound [ pathprop ]

is true in a state *s* of a model if
"the probability that path property `pathprop`

is satisfied by the paths from state *s*
meets the bound `bound`

".
A typical example of a bound would be:

P>0.98 [ pathprop ]

which means: "the probability that `pathprop`

is satisfied by the paths from state *s* is greater than 0.98". More precisely, `bound`

can be any of `>=p`

, `>p`

, `<=p`

or `<p`

,
where `p`

is a PRISM language expression evaluating to a double in the range [0,1].

The types of path property supported by PRISM and their semantics will be discussed shortly.

For models that can exhibit nondeterministic behaviour (MDPs or PTAs), some additional clarifications are necessary. Whereas for fully probabilistic models such as DTMCs and CTMCs, probability measures over paths are well defined (see e.g. [KSK76] and [BKH99], respectively), for nondeterministic models a probability measure can only be feasibly defined once all nondeterminism has been removed.

Hence, the actual meaning of the property `P bound [ pathprop ]`

in these cases is:
"the probability that `pathprop`

is satisfied by the paths from state *s*
meets the bound `bound`

*for all possible resolutions of nondeterminism*".
This means that, properties using the

operator then effectively reason about the
**P***minimum* or *maximum* probability, over all possible resolutions of nondeterminism,
that a certain type of behaviour is observed.
This depends on the bound attached to the

operator:
a lower bound (**P**`>`

or `>=`

) relates to minimum probabilities
and an upper bound (`<`

or `<=`

) to maximum probabilities.

It is also very often useful to take a *quantitative* approach to probabilistic model checking, computing the actual probability that some behaviour of a model is observed,
rather than just verifying whether or not the probability is above or below a given bound.
Hence, PRISM allows the

operator to take the following form:
**P**

P=? [ pathprop ]

These properties return a numerical rather than a Boolean value. The S and R operators, discussed later, can also be used in this way.

As mentioned above, for nondeterministic models (MDPs or PTAs), either minimum or maximum probability values can be computed. Therefore, in this case, we have two possible types of property:

Pmin=? [ pathprop ]

Pmax=? [ pathprop ]

Pmax=? [ pathprop ]

which return the minimum and maximum probabilities, respectively.

It is also possible to specify to which state the probability returned by a quantitative property refers. This is covered in the later section on filters.

PRISM supports a wide range of path properties that can be used with the

operator.
A path property is a formula that evaluates to either true or false for a single path in a model.
Here, we review some of the simpler properties that feature a single **P***temporal operator*,
as used for example in the logics PCTL and CSL. Later, we briefly describe how PRISM also supports more complex LTL-style path properties.

The basic different types of path property that can be used inside the

operator are:
**P**

: "ne**X****x**t"

: "**U****u**ntil"

: "eventually" (sometimes called "**F****f**uture")

: "always" (sometimes called "**G****g**lobally")

: "**W****w**eak until"

: "**R****r**elease"

In the following sections, we describe each of these *temporal operators*. We then discuss the (optional) use of time bounds with these operators. Finally, we also discuss LTL-style path properties.

The property

is true for a path if **X** prop`prop`

is true in its second state,
An example of this type of property, used inside a

operator, is:
**P**

P<0.01 [ X y=1 ]

which is true in a state if "the probability of the expression `y=1`

being true in the next state is less than 0.01".

The property `prop1 `

is true for a path if
**U** prop2`prop2`

is true in some state of the path and `prop1`

is true in all preceding states.
A simple example of this would be:

P>0.5 [ z<2 U z=2 ]

which is true in a state if "the probability that `z`

is eventually equal to 2, and that `z`

remains less than 2 up until that point, is greater than 0.5".

The property

is true for a path if **F** prop`prop`

eventually becomes true at some point along the path. The

operator is in fact a special case of the **F**

operator (you will often see **U**` `

written as **F** prop

). A simple example is:
**true** **U** prop

P<0.1 [ F z>2 ]

which is true in a state if "the probability that `z`

is eventually greater than 2is less than 0.1".

Whereas the

operator is used for "reachability" properties, **F**

represents "invariance". The property **G**

is true of a path if **G** prop`prop`

remains true at all states along the path. Thus, for example:

P>=0.99 [ G z<10 ]

states that, with probability at least 0.99, `z`

never exceeds 10.

Like

and **F**

, the operators **G**

and **W**

are derivable from other temporal operators.
**R**

Weak until (`a `

), which is equivalent to **W** b`(a `

, requires that **U** b) | **G** a`a`

remains true until `b`

becomes true, but does not require that `b`

ever does becomes true (i.e. `a`

remains true forever). For example, a weak form of the until example used above is:

P>0.5 [ z<2 U z=2 ]

which states that, with probability greater than 0.5, either `z`

is always less than 2, or it is less than 2 until the point where `z`

is 2.

Release (`a `

), which is equivalent to **R** b`!(!a U !b)`

, informally means that `b`

is true until `a`

becomes true, or `b`

is true forever.

All of the temporal operators given above, with the exception of

, have "bounded" variants, where an additional time bound is imposed on the property being satisfied.
The most common case is to use an upper time bound, i.e. of the form "**X**`<=t`

" or "`<t`

", where `t`

is a PRISM expression evaluating to a constant, non-negative value.

For example, a bounded until property `prop1 `

, is satisfied along a path if **U**<=t prop2`prop2`

becomes true within `t`

steps and `prop1`

is true in all states before that point.
A typical example of this would be:

P>=0.98 [ y<4 U<=7 y=4 ]

which is true in a state if "the probability of `y`

first exceeding 3 within 7 time units is greater than or equal to 0.98". Similarly:

P>=0.98 [ F<=7 y=4 ]

is true in a state if "the probability of `y`

being equal to 4 within 7 time units is greater than or equal to 0.98" and:

P>=0.98 [ G<=7 y=4 ]

is true if the probability of `y`

staying equal to 4 for 7 time units is at least 0.98.

The time bound can be an arbitrary (constant) expression, but note that you may need to bracket it, as in the following example:

P>=0.98 [ G<=(2*k+1) y=4 ]

You can also use lower time-bounds (i.e. `>=t`

or `>t`

) and time intervals `[t1,t2]`

, e.g.:

P>=0.98 [ F>=10 y=4 ]

P>=0.98 [ F[10,20] y=4 ]

P>=0.98 [ F[10,20] y=4 ]

which refer to the probability of `y`

becoming equal to 4 after 10 or more time units, and after between 10 and 20 time-units respectively.

For CTMCs, the time bounds can be any (non-negative) numerical values - they are not restricted to integers, as for DTMCs and MDPs. For example:

P>=0.25 [ y<=1 U<=6.5 y>1 ]

means that the probability of `y`

being greater than 1 within 6.5 time-units (and remaining less than or equal to 1 at all preceding time-points) is at least 0.25.

We can also use the bounded

operator to refer to a single time instant, e.g.:
**F**

P=? [ F[10,10] y=6 ]

or, equivalently:

P=? [ F=10 y=6 ]

both of which give the probability of `y`

being 6 at time instant 10.

PRISM also supports probabilistic model checking of the temporal logic LTL (and, in fact, PCTL*). LTL provides a richer set of path properties for use with the

operator, by permitting temporal operators to be combined. Here are a few examples of properties expressible using this functionality:
**P**

P>0.99 [ F ( "request" & (X "ack") ) ]

"with probability greater than 0.99, a request is eventually received, followed immediately by an acknowledgement"

P>=1 [ G F "send" ]

"a message is sent infinitely often with probability 1"

P=? [ F G ("error" & !"repair") ]

"the probability of an error occurring that is never repaired”

Note that logical operators have precedence over temporal ones, so you will often need to include parentheses when using logical operators, e.g.:

P=? [ (F "error1") & (F "error2") ]

For temporal operators, unary operators (such as

, **F**

and **G**

) have precedence over binary ones (such as **X**

). Unary operators can be nested, without parentheses, but binary ones cannot.
**U**

So, these are allowed:

P=? [ F X X X "a" ]

P=? [ "a" U X X X "error" ]

P=? [ ("a" U "b") U "c" "error" ]

P=? [ "a" U X X X "error" ]

P=? [ ("a" U "b") U "c" "error" ]

but this is not:

P=? [ "a" U "b" U "c" "error" ]